regexploit
Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
Why not detect (a+)+
```
Welcome to Regexploit. Enter your regexes:
(a+)+
No ReDoS found.
```
Hello, thank you for the amazing tool. I want to cite your work. However, I cannot find the cff file for this repository. Is there an entry for correctly citing...
I have two expressions which run too long time:
```
$ time bin/regexploit
Welcome to Regexploit. Enter your regexes:
(?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)(regexp)
^C
real 3m34,572s
user 3m33,582s
sys 0m0,016s
```
as you...
Hi, I ran into a problem with two regular expressions:
```
$ bin/regexploit
Welcome to Regexploit. Enter your regexes:
(?i)(?:(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|\Wselect.+\W*?from)(regexp)
Error parsing: (?i)(?:(?:(?:(?:trunc|cre|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|\Wselect.+\W*?from)(regexp)
bad escape \z at position 164
No...
```
Good tool! Will it support scanning Java in the future?
I was scanning a bunch of regular expressions with some of them containing atomic groups. Every expression containing an atomic group triggered a parsing error indicating that `?> is an...
Cheeky feature request - could support for JSON or SARIF be added for output? This would allow for easier consumption in continuous integration, and similarly in vulnerability management tools. JSON example:...
While scanning a large set of regular expressions I found some particularly nasty lines which hung my scripted scan. Perhaps a timeout flag could be added?
Should we expect `regexploit` to warn about the kind of [Regular Expression Backtracking](https://accidentallyquadratic.tumblr.com/post/147713851567/regular-expression-backtracking-on-stackoverflow) which [caused an outage on StackOverflow](https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016) (`^[\s\u200c]+|[\s\u200c]+$`) or is it out of scope of this tool?